fix: ignore case when comparing remote SHA-1 checksums #1600

Draft
algomaster99 wants to merge 2 commits into main from claude/keen-gates-keeafe

@algomaster99

Member

Fixes #1599.

Problem

When RemoteChecksumCalculator cannot fetch a remote checksum file and falls back to downloading the artifact, it verifies the download against the repository-provided .sha1 file. The comparison was case-sensitive:

String sha1 = ...toLowerCase(Locale.ROOT);
if (!sha1.equals(verificationChecksum)) { throw ... }

A repository manager proxying Maven Central (e.g. a company Nexus/Artifactory) can serve the .sha1 file using upper-case hex digits, while the locally calculated checksum is always lower-case. This produced spurious failures:

[ERROR] Invalid SHA-1 checksum for ... Remote checksum = 'CF17BB...CE8'. Locally calculated checksum = 'cf17bb...ce8'.

Changes

This PR is intentionally split into two commits so CI demonstrates the bug, then the fix:

  1. Add failing test — drives calculateArtifactChecksum against a mock HTTP repository that returns an upper-case .sha1, expecting the artifact's checksum to be returned. Fails before the fix.
  2. Fix — compare with equalsIgnoreCase.

🤖 Generated with Claude Code


Generated by Claude Code
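
An added example, not code from this PR or the project: one way to make the download check independent of hex case is to decode the repository-provided text and compare digest bytes, which still rejects empty, truncated or non-hex values. The class and helper names are hypothetical, the artifact bytes are constructed, and Java 17+ (java.util.HexFormat) is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Locale;

// Added illustration, not the project's code. Requires Java 17+ (HexFormat).
public class Sha1CaseDemo {

    // Hypothetical helper: SHA-1 digest of the downloaded bytes.
    static byte[] sha1(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-1").digest(data);
    }

    // Hypothetical helper: true only when the repository-provided hex text
    // encodes exactly the locally calculated digest, in either letter case.
    static boolean matchesRemote(byte[] localDigest, String remoteHex) {
        String candidate = remoteHex.trim();
        if (candidate.length() != localDigest.length * 2) {
            return false; // empty, truncated or padded value
        }
        try {
            // parseHex accepts both 'a'-'f' and 'A'-'F'.
            byte[] remote = HexFormat.of().parseHex(candidate);
            return MessageDigest.isEqual(localDigest, remote);
        } catch (IllegalArgumentException e) {
            return false; // characters that are not hex digits
        }
    }

    // Changes the first hex digit so the value no longer matches.
    static String flipFirst(String hex) {
        char c = hex.charAt(0) == '0' ? '1' : '0';
        return c + hex.substring(1);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input standing in for a downloaded artifact.
        byte[] artifact = "constructed artifact bytes".getBytes(StandardCharsets.UTF_8);
        byte[] local = sha1(artifact);
        String lower = HexFormat.of().formatHex(local);
        String upper = lower.toUpperCase(Locale.ROOT);

        System.out.println("String.equals, upper-case remote: " + lower.equals(upper));
        System.out.println("equalsIgnoreCase:                 " + lower.equalsIgnoreCase(upper));
        System.out.println("decoded bytes, upper-case remote: " + matchesRemote(local, upper + "\n"));
        System.out.println("decoded bytes, empty body:        " + matchesRemote(local, ""));
        System.out.println("decoded bytes, one digit changed: " + matchesRemote(local, flipFirst(upper)));
    }
}
```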

@algomaster99 algomaster99 changed the title Ignore case when comparing remote SHA-1 checksums fix: ignore case when comparing remote SHA-1 checksums Jun 17, 2026
@algomaster99 algomaster99 force-pushed the claude/keen-gates-keeafe branch from 2bf31b0 to 64f4a27 Compare June 17, 2026 11:55
Reproduces issue #1599: when a repository manager serves the .sha1
verification file using upper-case hex digits, RemoteChecksumCalculator
rejects the downloaded artifact because it compares the remote checksum
case-sensitively against the lower-case checksum it calculates locally.

The test drives calculateArtifactChecksum against a mock HTTP repository
that returns an upper-case SHA-1, and expects the artifact's checksum to
be returned. This currently fails.

https://claude.ai/code/session_01UTaAj5R3fTpqRcqHZCBUJ3
@algomaster99 algomaster99 force-pushed the claude/keen-gates-keeafe branch 2 times, most recently from 741ef5d to 843c443 Compare June 17, 2026 12:11
Repository managers proxying Maven Central (e.g. Nexus/Artifactory) may
serve checksum files using upper-case hex digits, while the locally
calculated checksum is always lower-case. Comparing case-sensitively
rejected these as mismatches, producing spurious "Invalid SHA-1 checksum"
failures. Use equalsIgnoreCase so the download verification accepts them.

Fixes #1599

https://claude.ai/code/session_01UTaAj5R3fTpqRcqHZCBUJ3
@algomaster99 algomaster99 marked this pull request as draft June 17, 2026 14:14
@algomaster99

Member Author

There needs to be investigation about the test. The assertion seems to fail because "" was actual, but it should actually be an uppercase checksum.

@fz-rh fz-rh left a comment

Collaborator

I think it works fine. Both the test and the fix. Assuming you are able to connect to localhost.

Development

Successfully merging this pull request may close these issues.

RemoteChecksumCalculator should ignore case when comparing SHA-1 checksums